R980 Ransomware

R980 Ransomware might be the culprit behind the encryption of your personal files. According to our research, this infection should add the “.crypt” extension to the files it affects. However, the same extension can be added by Microsoft Decryptor Ransomware, Cryptxxx Ransomware, Chimera Ransomware, and other infamous ransomware infections. Just like all of these threats, the ransomware we are discussing in this report targets personal files, not system files. It might encrypt .AVI, .BMP, .MP3, .RAR, and other types of files that are likely to represent audio/video files, documents, personal photos, etc. Although this infection could easily encrypt other kinds of files, it is most likely to succeed by corrupting valuable personal files. The purpose of this ransomware is to push you into paying a ransom, and it is unlikely that you would pay it in return for the decryption of system files or other types of files that can be easily replaced. Keep reading to learn more, including how to remove R980 Ransomware.

Our research team has had the “pleasure” of analyzing quite a few ransomware infections. Some of them paralyze certain system files to lock up the entire operating system. Others use the credentials of law enforcement organizations to trick users into paying what appear to be “fines.” The malicious R980 Ransomware does not hide behind a mask, and it changes the wallpaper of the Desktop to introduce you to the demands of its creators. Additionally, a file named “DECRYPTION_INSTRUCTIONS.txt” is created. You can expect to find this file on the Desktop, as well as in every folder containing encrypted files. Speaking of encryption, according to the information presented via the Desktop wallpaper, R980 Ransomware uses a combination of AES 256-bit and RSA-4096 encryption algorithms. It is most likely that one of them is used for the encryption of your files, and the other one is used for the encryption of the private key that you need to initiate file decryption. Of course, this key is hidden on a remote server, and you cannot retrieve it easily. This is exactly why many users agree to pay the ransom.

According to the “DECRYPTION_INSTRUCTIONS.txt” file, the victims of the malicious R980 Ransomware are expected to pay a ransom of 0.5 Bitcoins, which is around 312 USD or 279 Euro. Bitcoins must be bought on one of the Bitcoin markets. Then, a unique Bitcoin address must be used to send the sum demanded. Once you are done with this complicated process, you should be provided, via a public email inbox, with a link to a functional decrypter that supposedly can “fix your files.” So, where are the guarantees? Unfortunately, there are none, and you are expected to trust the word of cyber criminals. Of course, you are left with no other option, but you must keep in mind that there is a huge risk that your files will remain encrypted after you pay the ransom! If you do not want to risk losing your money, paying the ransom is not an option. The problem is that, at this moment, a third-party tool capable of deciphering the encryption of R980 Ransomware does not exist. Hopefully, it will be created at some point, but right now, the only way to decrypt files is by paying a ransom, and this method is too unpredictable and risky.

If you backed up your personal photos, documents, and other personal files before the invasion of the malicious R980 Ransomware, you do not need to pay the ransom or follow any other demands. Instead, employ an automated malware detection and removal tool right away to erase this threat from your operating system. We suggest using automated removal software because the components of this malicious threat might be hard to identify. On top of that, other malicious threats could be active! Although it is most likely that this ransomware was spread via a spam email attachment that you opened thinking it was something else, it could also be downloaded by clandestine Trojans. Moreover, your operating system is currently vulnerable, and only reliable security software can solve this problem! If you still want to try deleting R980 Ransomware manually, follow the guide below, and do not forget to use a malware scanner.

R980 Ransomware Removal

Right-click and Delete the malicious file that has launched R980 Ransomware (e.g., a malicious file that arrived as a misleading spam email attachment).

Right-click and Delete the DECRYPTION_INSTRUCTIONS.txt on the Desktop (and other locations).

Launch Explorer (simultaneously tap Win+E) and enter %Temp% into the bar at the top.

Right-click and Delete the file called Taskhost.exe (note that the name might be different).

Launch RUN (simultaneously tap Win+R) and enter regedit.exe into the dialog box.

In Registry Editor move to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

Right-click and Delete the value named BeeCrypt (the value data should show the location of the Taskhost.exe file. Note that if you do not find these exact names, they might be different).

Restart your PC and immediately perform a full system scan to see if it is clear from malware.
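
Before deleting anything by hand, the locations from the steps above can be checked in one pass. The following PowerShell script is an added example, not part of the original guide: it is read-only and reports the BeeCrypt Run value (or any Run value pointing into %Temp%), executables in %Temp%, and copies of DECRYPTION_INSTRUCTIONS.txt under the user profile. The function and variable names are illustrative choices made for this example.

```powershell
# Added example: read-only check for the R980 artifacts named in the steps above.
# It reports findings and deletes nothing. Names such as New-Finding are illustrative.
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$noteName = 'DECRYPTION_INSTRUCTIONS.txt'
$provider = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
$tempDir  = $env:TEMP.TrimEnd('\')
$findings = @()

function New-Finding($Type, $Item, $Detail) {
    [pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail }
}

# Run-key values: flag "BeeCrypt" by name, and any value whose data points
# into %Temp%, because the guide notes that the names might be different.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -in $provider) { continue }   # skip registry-provider metadata
        $data   = [string]$p.Value
        $inTemp = $data.IndexOf($tempDir, [StringComparison]::OrdinalIgnoreCase) -ge 0
        if ($p.Name -eq 'BeeCrypt' -or $inTemp) {
            $findings += New-Finding 'RunValue' $p.Name $data
        }
    }
}

# Executables directly in %Temp%. Taskhost.exe is the name given in the guide;
# any other .exe is listed for manual review, not as a confirmed detection.
foreach ($f in Get-ChildItem -LiteralPath $tempDir -Filter '*.exe' -File -ErrorAction SilentlyContinue) {
    $type = if ($f.Name -eq 'Taskhost.exe') { 'TempExe (named in guide)' } else { 'TempExe (review)' }
    $sha  = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    $findings += New-Finding $type $f.Name "SHA256=$sha"
}

# Ransom notes: one is dropped in every folder that holds encrypted files,
# so the list also shows which folders were affected.
$notes = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Filter $noteName -File -Recurse -ErrorAction SilentlyContinue)
foreach ($n in $notes) {
    $findings += New-Finding 'RansomNote' $n.Name $n.DirectoryName
}

if ($findings.Count -eq 0) {
    'No R980 artifacts from the removal steps were found for this user.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it as the affected user, since both HKCU and %Temp% are per-user locations. The SHA256 values can be submitted to a malware scanner before the files are removed.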